It seems that no matter what group I add an account to, the LDAP memberOf finds it, except for the Domain Users group. Is there a specific exclusion of this group somewhere? It doesn't appear to be an issue with the space in the name, because if I test with other default groups like Domain Admins it works. I am getting the same result from both the LDAP attribute map and from trying to use the Domain Users group in a DAP policy. A debug ldap 255 returns every other group membership for an account except for Domain Users.
When I issue the command 'sh ad-group LDAP filter "Domain " ' the Domain Users group is in the results list, so it is able to see it and it exists.
Thanks for the info. Based on your input I have created 2 different DAPs, one using the primaryGroupID of 513 to capture the standard account Domain Users and one that uses memberOf = Domain Users for any accounts that might have had their primaryGroupID changed. It seems to be working.
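The two checks described in the last post, as an added example that is not part of the original thread: Active Directory records a user's primary group only as a RID in primaryGroupID and leaves it out of memberOf, so a membership test has to look at both attributes. The DNs, SIDs and accounts below are constructed sample values, and the function names are hypothetical.

```python
import struct

DOMAIN_USERS_RID = 513  # primaryGroupID value used in the post
# Assumed DN for the example; substitute the DN from your own directory.
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"

def sid_to_str(raw):
    """Decode a binary objectSid (as LDAP returns it) into S-1-... form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def primary_group_sid(entry):
    """Primary group SID: the user's domain SID with primaryGroupID as the RID."""
    domain_sid = sid_to_str(entry["objectSid"]).rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, int(entry["primaryGroupID"]))

def domain_users_match(entry):
    """Return the attribute that proves Domain Users membership, or None."""
    if int(entry.get("primaryGroupID", 0)) == DOMAIN_USERS_RID:
        return "primaryGroupID"   # default case: group is absent from memberOf
    dns = [dn.lower() for dn in entry.get("memberOf", [])]
    if DOMAIN_USERS_DN.lower() in dns:
        return "memberOf"         # primary group was changed to something else
    return None

def _sid(*subs):
    # Build a constructed binary SID: revision 1, authority 5 (NT Authority).
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample entries, shaped like LDAP search results.
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
ALICE = {"objectSid": _sid(*DOMAIN, 1104), "primaryGroupID": "513",
         "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]}
BOB = {"objectSid": _sid(*DOMAIN, 1105), "primaryGroupID": "1201",
       "memberOf": [DOMAIN_USERS_DN, "CN=Contractors,OU=Groups,DC=example,DC=com"]}
SVC = {"objectSid": _sid(*DOMAIN, 1106), "primaryGroupID": "1201", "memberOf": []}

if __name__ == "__main__":
    for name, entry in (("alice", ALICE), ("bob", BOB), ("svc", SVC)):
        print(name, domain_users_match(entry), primary_group_sid(entry))
```

A policy that tests only memberOf would miss the first sample account, and one that tests only primaryGroupID would miss the second.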